Gmail 2FA Cyber Attacks—Open Another Account Before It's Too Late

Open a second Gmail account now

SOPA Images/LightRocket via Getty Images

Update, Nov. 04, 2024: This story, originally published Nov. 03, now includes step-by-step details regarding the use of Google’s Advanced Protection Program, which can help keep all your Gmail accounts more secure.

Google really does take your security seriously and has been proving as much by the swathe of increasingly sophisticated protections against cyber attack it has introduced in recent months. With an estimated 2.5 billion active users, one of the main targets for hackers is your Gmail account. As reports of the latest session cookie stealing, two-factor authentication bypassing, cyber attacks against Gmail users flood in; there’s one surprisingly simple defensive action you can take right now to help protect your email. However, you need to do it now as otherwise it could be too late to help you if you fall victim to a 2FA-bypass Gmail attack: open a second Gmail account and add one rule to protect your data.

ForbesNew Password Hack Attack—LastPass, Chrome, Facebook, Netflix, PayPal Users At RiskBy Davey Winder

Open A Second Gmail Account To Backup Your Email Data

Imagine waking up to find that your Google account has been hacked and you are now locked out of access to your Gmail inbox as a result. For far too many people, that nightmare vision is all too much a reality as hackers employ session cookie-stealing techniques to bypass 2FA protections attack. Cybercrime agencies quite rightly warn users of online accounts to protect them with 2FA wherever it is available as an option. Google has introduced secure passkey sign-in access across devices and includes safe browsing protections for Chrome users. Yet still the attackers deploy increasingly sophisticated methods to get around those protections including, as I recently reported, tools to bypass even the stringent application-bound encryption process Google has in place to prevent cookie theft.

So, how does opening a second Gmail account help prevent 2FA-bypass cyber attacks? The brutal truth is that it doesn’t. It can, however, help mitigate the impact of such an attack. All the mitigations mentioned in this article still apply, and I heartily recommend that you ensure they are in place before doing anything else.

The impetus to write this article was a question posed in the Gmail subreddit by a Gmail user whose main account had been compromised, despite having 2FA in place, and wanted to know if setting up a second account could be done without it being compromised by the same threat actor.

ForbesNew Gmail Security Alert For 2.5 Billion Users As AI Hack ConfirmedBy Davey Winder

Rather than prevent a security compromise, a second Gmail account can act as a backup to the important and often irreplaceable information that your email inbox contains.

How To Securely Setup A Second Gmail Account

With Google offering Gmail as a totally free web-based email platform, setting up multiple accounts is incredibly easy. I myself have lost count of the number I have, although I only use two or three regularly. The account creation process is as simple as one, two, three:

Sign out of your Google Account. Go to the Google Account sign-in page. Click on create account.

To ensure that this new account is as secure as possible, and less likely to be compromised by a threat actor who successfully attacks the original one, use a passkey tied to a different device than the first, or two-factor authentication that uses a standalone 2FA code-generating app rather than via SMS to the same telephone number as previously. Indeed, try and use as much completely unique information as possible when creating the new account. Once you have the account created, then head to your original Gmail account settings and set up a forwarding rule that sends a copy of all email to the second account. This way you’ll have a backup should the worse happen. Remember, by applying the sensible mitigations detailed in those linked resources and not adopting insecure habits, your account should be safe from attack.

ForbesGmail Hackers Have Control Of 2FA, Email And Number? Here’s What To DoBy Davey Winder

If someone did manage to hack your original account, and it is forwarding email to your second Gmail account, that doesn’t mean both will be compromised. As these are separate accounts, the hacker would need to compromise them as separate entities. Here’s hoping you never get your Gmail account compromised, but it’s always good to have a plan just in case.

Google’s Advanced Protection Program Can Help Secure Your Gmail Accounts

And talking of plans, I would also recommend signing all your Gmail accounts up to Google’s advanced protection program, which makes it much harder for anyone to compromise those accounts in the first place, providing additional layers of security when recovering a compromised account for good measure.

Enrol in Google's Advanced Protection Program for the strongest Gmail account defense

Google

Originally rolled out in 2017, Google’s Advanced Protection Program came into being as a response to the increasingly sophisticated evolution of phishing schemes and other cyber attack methodologies targeting “high-risk users” such as politicians, activists, dissidents, high-worth individuals and journalists. As the latter of these, I signed up early doors and now advise everyone who is concerned about the security of their Google account and subsidiary products such as Gmail and Drive that hang from it to do the same.

The main downside, historically, has been the cost of entry to this free advanced security club: the purchase of a pair of hardware security keys. Now, however, membership really is free as Google enables enrollment using passkeys instead. “Passkeys give high-risk users the option to rely on the ease and security that comes with using personal devices they already own,” Shuvo Chatterjee, the product lead of Google’s Advanced Protection Program, said, “as opposed to another device or tool like a security key, for phishing-resistant authentication.”

How To Sign Up To The Advanced Protection Program And Add Another Layer To Your Gmail Defenses

Advanced Protection Program enrollment really couldn’t be any easier:

Visit the APP start page and click on Get Started. Verify your identity by using your existing passkey. Add a recovery phone number that you trust and can be verified. Add a recovery email address that you trust and can be verified. Hit the enrollment button. Google

When you initially sign into your Google account on any device, you must use your passkey. APP performs additional checks on downloads, if you attempt to download a potentially harmful file you will be notified or the download blocked. If you are using an Android device, APP only allows downloads from verified app stores. Advanced protection also restricts the data that apps, both Google and verified third-party ones, can access. Most non-Google apps and services are blocked from accessing data from your Gmail account. “If anyone tries to recover your account,” Google said, “Advanced Protection takes extra steps to verify your identity.” This means that it can take a few days to verify that you are who you say you are and get access to your Google account back.